Multiple XSS vulnerabilities (oC-SA-2013-011)


Issued on:

24.03.2013

CVE:
  • CVE-2013-1890
Affected Software:
  • ownCloud Server < 5.0.1
Description

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.0 allow remote attackers to inject arbitrary web script or HTML via

  • the “new_name” POST parameter to renameTag.php in /apps/bookmarks/ajax/
    • Commits: 1c63eb1 (stable5)
    • Risk: Medium
    • Note: Successful exploitation of this stored XSS requires the “bookmark” app to be enabled. (enabled by default)
  • multiple unspecified parameters to several files in apps/contacts/ajax/
    • Commits: ae9e5a4 (stable5)
    • Risk: Medium
    • Note: Successful exploitation of this stored XSS requires the “calendar” app to be enabled. (enabled by default)

Credits

The ownCloud Team would like to thank Dylan Irzi for discovering this vulnerabilities.